Exploitation Summary
CVE-2009-2493 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."
References (36)
Core 36
Core References
Patch, Third Party Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb09-11.html
Broken Link vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2034
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-223A.html
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621
Third Party Advisory x_refsource_confirm
http://www.openoffice.org/security/cves/CVE-2009-2493.html
Third Party Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb09-13.html
Third Party Advisory x_refsource_confirm
http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-286A.html
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035
Broken Link x_refsource_misc
http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0366
Third Party Advisory vendor-advisory
x_refsource_hp
http://marc.info/?l=bugtraq&m=126592505426855&w=2
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36187
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-342A.html
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2232
Third Party Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb09-10.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36374
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/38568
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037
Patch, Third Party Advisory x_refsource_confirm
http://www.adobe.com/support/security/advisories/apsa09-04.html
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36746
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/41818
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/35967
Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
Broken Link vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020775.1-1
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-195A.html
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-055
Broken Link vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473
Scores
CVSS v3
8.8
EPSS
0.4339
EPSS Percentile
98.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
VulnCheck KEV
2009-11-04
CWE
CWE-264
CWE-94
Status
published
Products (10)
microsoft/visual_c\+\+
2005 sp1
microsoft/visual_c\+\+
2008 (2 CPE variants)
microsoft/visual_studio
2003 sp1
microsoft/visual_studio
2005 sp1
microsoft/visual_studio
2008 (2 CPE variants)
microsoft/windows_2000
microsoft/windows_2003_server
microsoft/windows_server_2008
(2 CPE variants)
microsoft/windows_vista
(3 CPE variants)
microsoft/windows_xp
(2 CPE variants)
Published
Jul 29, 2009
Tracked Since
Feb 18, 2026